1. Field of the Invention
The present invention relates to a malicious access-detecting apparatus, a malicious access-detecting method, a malicious access-detecting program, and a distributed denial-of-service attack-detecting apparatus, and more particularly to a malicious access-detecting apparatus, a malicious access-detecting method, and a malicious access-detecting program, for detecting malicious access before it causes a network problem, and a distributed denial-of-service attack-detecting apparatus for detecting a distributed denial-of-service attack before it actually starts an attack.
2. Description of the Related Art
With the recent development of information communication technology, services have come to be widely provided via the Internet. For example, service providers set up servers accessible via the Internet for providing various services to clients connected to the servers via the Internet. Since the servers providing services are accessible via the Internet, they often become targets of an attack through unauthorized or malicious access. Therefore, it is necessary to detect malicious access at an early stage, before the attack occurs.
Basically, it is possible to detect unauthorized or malicious access by detecting an access request which includes a command for a malicious purpose. However, some types of malicious access carry out an attack using a combination of a plurality of regular commands. The malicious access of this kind cannot be detected only by monitoring individual packets.
Particularly, distributed denial-of-service (hereinafter also referred to as “DDoS”) attacks on a large number of web sites have been occurring for several years.
The DDoS attack means an attack performed by sending a large amount of packets to one target server from a plurality of stepping stones (apparatuses which are compromised via the Internet by a malicious user). The target server attacked by DDoS is overloaded by a flood of packets simultaneously received, and in the worst case, the server is compelled to stop its functions.
However, the packets sent by the above-mentioned attack are regular or normal packets, and therefore the DDoS attack cannot be detected only by the monitoring of individual packets. Further, since the DDoS attack is executed via the stepping stones, it is difficult to identify the terminal used by the attacker, and therefore difficult to work out a countermeasure against the attack.
To overcome the problem, there has been employed a method of detecting and blocking the malicious access in which a plurality of border routers each calculate the number of packets having the same recipient and exchange the results of the calculations between the border routers, thereby monitoring the packets flowing in via the border routers; when an abnormally large number of packets flowing in to the same address is found, it is determined that the packets are produced for a DDoS attack, and the flow-in of packets is suppressed (see e.g. Japanese Unexamined Patent Publication (Kokai) No. 2003-289337, paragraph numbers [0031] to [0047], and FIG. 1).
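The conventional method described above (and the in-progress detection discussed further below) can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the patent or from the cited publication. It assumes three border routers (named br1 to br3), a per-destination packet counter at each router, a count-exchange step that sums the counters, and a fixed threshold of 50 packets per observation window; the packet sample and all addresses are constructed placeholders.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of observed packets: (border_router, src_ip, dst_ip).
# In a real deployment each border router would count the packets it forwards
# and exchange its counters with its peers; here three routers are simulated
# in one process. Three stepping-stone groups flood 192.0.2.10; the remaining
# packets are ordinary traffic to other hosts. All addresses are placeholders.
SAMPLE_PACKETS: List[Tuple[str, str, str]] = (
    [("br1", f"10.0.1.{i}", "192.0.2.10") for i in range(1, 41)]   # 40 packets
    + [("br2", f"10.0.2.{i}", "192.0.2.10") for i in range(1, 36)]  # 35 packets
    + [("br3", f"10.0.3.{i}", "192.0.2.10") for i in range(1, 31)]  # 30 packets
    + [("br1", "10.0.1.200", "192.0.2.20")] * 5                      # normal
    + [("br2", "10.0.2.200", "192.0.2.30")] * 8                      # normal
)

# Assumed per-window threshold for "abnormally large" (not a value from the page).
THRESHOLD = 50


def count_by_destination(packets: Iterable[Tuple[str, str, str]]) -> Dict[str, Counter]:
    """Local step: each border router counts packets per destination address."""
    per_router: Dict[str, Counter] = {}
    for router, _src, dst in packets:
        per_router.setdefault(router, Counter())[dst] += 1
    return per_router


def merge_counts(per_router: Dict[str, Counter]) -> Counter:
    """Exchange step: sum the per-destination counters of all border routers."""
    total: Counter = Counter()
    for counts in per_router.values():
        total.update(counts)
    return total


def detect_flood(counts: Counter, threshold: int = THRESHOLD) -> List[str]:
    """Destinations whose packet count in this window exceeds the threshold."""
    return sorted(dst for dst, n in counts.items() if n > threshold)


def local_only_alerts(per_router: Dict[str, Counter], threshold: int = THRESHOLD) -> Dict[str, List[str]]:
    """What each router would flag if it did NOT exchange counts with its peers."""
    return {router: detect_flood(counts, threshold) for router, counts in per_router.items()}


if __name__ == "__main__":
    per_router = count_by_destination(SAMPLE_PACKETS)
    print("per-router alerts (no exchange):", local_only_alerts(per_router))
    merged = merge_counts(per_router)
    print("merged counts:", dict(merged))
    print("alerts after exchange:", detect_flood(merged))
```

Run stand-alone, no single router flags anything (each sees at most 40 packets to the target, below the threshold), while the merged view counts 105 packets to 192.0.2.10 and flags it. That is the point of the exchange step in the cited method, but note what the counters are made of: the alert is only raised once the attack packets are already being forwarded, which is the limitation the following paragraphs describe.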
However, the conventional malicious access-detecting method has the problem that it is difficult to predict the whole aspect of malicious access, particularly of an attack that threatens to occur in the future. More specifically, since the conventional malicious access-detecting method detects malicious access by monitoring individual packets, it is impossible to grasp the whole aspect of malicious access which is executed by malicious apparatuses formed by the stepping stones, as in the DDoS attack representing this type of malicious access. This makes it impossible to predict the scale of the attack and that of the resulting damage, and difficult to provide an effective countermeasure.
Particularly, the scale of a DDoS attack increases as the number of stepping stones increases. Therefore, if the whole aspect of a possible attack can be known before the start of an actual attack, it is possible to take an effective countermeasure. However, it is impossible to grasp the whole aspect of an attack through detection of malicious access by the conventional method, and therefore the scale of the attack and that of the resulting damage cannot be predicted, which makes it impossible to take an effective countermeasure.
Further, in the conventional method of detecting a DDoS attack, packets produced by the DDoS attack are counted and the total of the counts is calculated, whereby a DDoS attack currently underway can be detected. This means that at the time point the DDoS attack is detected, the final stage, i.e. the attack itself, has already started, and a flood of packets is already flowing into the network. Therefore, even if the packets flowing in are suppressed at this time point, damage, such as delayed transmission of normal packets, has already been caused. Further, once an attack by the malicious access has been started, it is difficult to take an effective countermeasure.